Why security matters when it comes to PoPI

The Protection of Personal Information (PoPI) Act has been signed into law and will soon be implemented. This particular piece of legislation has been on the horizon for some time, and most companies have started to put in place processes to ensure they are compliant.

But processes might not be enough: to properly safeguard personal information, IT security is going to have to up its game. Kathy Gibson found out more at an AxizWorkgroup and Micro Focus information session.

For organisations that have to become PoPI compliant soon, PoPI is going to have huge implications not only for their policies but how they enable these processes and ensure that they are implemented throughout the organisation.

Information guru Mark Heyink points out that the issue is bigger than many compliance officers think, by virtue of the fact that we live in a connected world. “The Internet changes everything,” he says.

Every one of us is a data subject, Heyink explains, and we are subject to four forces: architecture, market, the law and norms.

The architecture refers to the constantly changing world that we live in – the insider threat of the future could be a fridge or a camera, and changing daily.

“Yes, we can control the environment at a micro-level, but we can’t really control it altogether.”

The market is huge, he adds, but the currency in the new market is people – the users of services who agree to their information being used.

The law, he says, sets the parameters within which organisations and people are allowed to operate. Individuals and organisations still need to manage risk, he adds.

Norms refer to the accepted behaviours within society – and this is the only element of our own information and privacy that we can manage, Heyink says.

Privacy is a constitutional right, he adds. However, it is a personal decision that people take when they do things like setting their passwords or setting boundaries.

“It’s our right, and it must be respected,” Heyink says. “In the 20th century a lot of these rights were trampled on and we need to claw them back.”

If you don’t think privacy breaches are happening in South Africa, you are not paying attention, Heyink says.

Privacy, he says, is the most critical issue. “There are so many different aspects. One of the things we are trying to do is balance the issue of cybersecurity with privacy rights.”

Cyber-war is a reality and other areas of cyber-intrusion are increasing. Big data raises new issues as well.

“We need to look at these things carefully.”

The law in the US doesn’t apply here, Heyink adds, and the US takes a more commercial view of privacy issues.

In the US, laws apply differently to different industry sectors and, as a result, don’t necessarily apply to the individual.

In the wake of 9/11 many laws swept through congress, usurping many individual rights.

Among the implications of the Snowden leaks, Heyink adds, is not just the fact that the government spies on people, but also receives data from organisations that have access to personal data.

The South African legislation is more influenced by laws in Europe, where human rights are often embedded. In fact, Germany has the best human rights regime in the world, Heyink says.

There are also new rights being created in Europe, such as the right to be forgotten, which contribute to privacy.

On 24 May 2016, the EU promulgated the General Data Protection Regulation, which European companies and those dealing with Europe have to comply with.

In South Africa, the PoPI regulator is expected to be appointed soon, and companies will have a one-year grace period thereafter to become compliant.

With Europe’s GDPR set to come into force on 28 May 2018, it’s likely that PoPI will come into effect on that date as well – and companies that are not on the road to compliance now are well behind the curve, Heyink says.

The act itself is quite long, he adds, but companies that understand and comply with section three will cover about 90% of their obligations.

The definition of personal information is pretty wide, Heyink says, and includes anything that can be related to a specific person. Processing is equally wide, referring to the collection, storage, use and destruction of any information.

Accountability rests with the responsible person, who has to ensure that the law is complied with, that personal information is identified and that it is processed in an appropriate manner.

This extends to third party operators who may process information on behalf of the responsible person, so companies should ensure that suppliers observe the same care with personal information.

The processing limitation clause says that personal information must be processed lawfully and in a responsible manner that doesn’t infringe on people’s privacy. Minimality adds that companies may collect only information that is relevant for the purpose at hand.

Consent is different to other justifications, which include contract, legal obligation, legitimate interests and public law duty.

There are processing limitations, Heyink says. The first of these is that information needs to be collected directly from the data subject, although there are exceptions including the use of public records deliberately made public by the data subject. This collection mustn’t prejudice the data subject but can be used in the enforcement of law, for court proceedings and in the national interest.

Importantly, data can be collected only for an explicit purpose that is specified upfront. The data subject needs to be aware of the purpose and collection of the personal information.

Further processing has to be compatible with the purpose for which the information was initially collected, and there are guidelines for determining this.

In terms of information quality, the responsible party needs to take reasonably practicable steps to ensure that information remains complete, accurate, not misleading and is updated where necessary.

Openness refers to transparency and makes provision for the ability for data subjects to see their information.

The crux of much of the privacy issue is security, Heyink adds. The act says companies have to put in appropriate measures to secure the confidentiality and integrity of personal information.

There are many standards around information security, he says and companies need to apply these to themselves and to any third party operators.

In addition, they have to inform data subjects and the regulator if there are any security breaches or compromises.

Unsolicited electronic transactions are covered by the act, but this applies only to electronic or automated communication. This means that direct marketing is prohibited unless the subject’s consent is obtained, or unless the subject is already a customer.

This also means that directories are unlawful unless the people or companies listed therein have consented.

The act also has implications on automated decision-making because data subjects may not be adversely affected, and must be given the opportunity to make representation.

Given that information has no effective borders, the responsible party needs to ensure that trans-border information flows are properly covered, both contractually and in practice.

Contracts with all suppliers should be examined in the context of PoPI because there is a cascade effect with various providers who must treat information according to the responsible party’s obligations.

Codes of conduct can go a long way to ensuring the PoPI is observed throughout the value chain, and play a role in education and compliance.

A new twist with PoPI is that penalties can be applied, consisting of fines – which have no limitation – and prison time. Importantly, these penalties could be both criminal and civil.

On a separate note, the Cybercrime and Cybersecurity Bill will soon be presented to cabinet, and Heyink points out that it criminalises several cyber-related offences.

The Bill also provides for severe penalties for vaguely defined offences – even though the capacity to police and prosecute the issues in the Bill doesn’t actually exist.

Manage identity to minimise breaches

It’s no secret that most security breaches in companies are caused by insider activity – misuse, accidents, disgruntled employees or people being paid by criminal elements.

But, as Micro Focus sales manager Marianne van der Pluym points out, it’s no easy task to figure out who a particular insider is. “And that is the problem: no-one really knows,” she says. “It could be a contractor, an employee, even something inside the organisation.”

What is certain is that hackers are continually looking for ways to get inside organisations, and recognise that the easiest way of doing that is by getting hold of legitimate passwords.

The methods they use to do this range from straightforward spying to social engineering, and often target privileged users.

“These privileged users have higher rights than other users, either administrative rights or access to applications that contain sensitive data,” Van der Pluym says. “So the question is who is monitoring these users, and for how long; also how much privilege do they have.

“These privileged users have become a weak spot in the organisations: they hold the keys to the kingdom and a breach could cause a lot of damage.”

Quite often, the ultimate target for hackers is not the company data itself, but customer records which can contain personal information, credit card details or healthcare records, for example.

“The pressure on organisations to guard against attacks is getting worse,” she says. “They can no longer do nothing. There are implications for breaches that include fines, reputation damage and financial losses through the share price and profits.

“From a legal perspective, there is a responsibility for an organisation to safeguard data and protect against breaches.”

Van der Pluym says Micro Focus offers an identity-powered solution that helps companies to control and manage the identity of users.

“Identity is the common thread in many breaches, so identity relationships are more important than ever. We do this by governing and managing rights; facilitating and controlling access; and monitoring user activity.”